
Security Compromised

Q: Security Compromised

I recently left my computer unattended (6-Jun) and for some reason the system did not lock after the first few minutes of inactivity. I have reason to believe my machine may have been tampered with. I'm concerned a keylogger may have been installed. I'm not sure that's what it's called, but basically spyware that reports back to someone what's being done on a computer. A colleague's crazy ex did something like this to her.

Not to sound like a patient in a doctor's office with a vague symptom like fatigue but my laptop is running very slow and always seems to be chugging away at something (sounds like it's continually accessing the hard drive).

Many thanks in advance for any help you can offer ... it will help me sleep at night! Following is the log from DDS and attached are the logs from DDS and GMER.

DDS (Ver_09-05-14.01) - NTFSx86
Run by Owner at 16:17:03.73 on Thu 06/11/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.214 [GMT -4:00]

AV: Trend Micro Internet Security *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Fujitsu\fjdvrupd\fjdvrupd.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
svchost.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Adobe\Updater6\Adobe_Updater.exe
C:\Documents and Settings\Owner\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.msn.ca/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [cdloader] "c:\documents and settings\owner\application data\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [IndicatorUtility] c:\program files\fujitsu\fujitsu hotkey utility\IndicatorUty.exe
mRun: [LoadFujitsuQuickTouch] c:\program files\fujitsu\application panel\QuickTouch.exe
mRun: [LoadBtnHnd] c:\program files\fujitsu\btnhnd\BtnHnd.exe
mRun: [FJUPDNV_Chitose] c:\program files\fujitsu\fjdvrupd\fjdvrupd.exe
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkbmon~1.lnk - c:\program files\nikon\pictureproject\NkbMonitor.exe
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: mts.mb.ca\employees
DPF: {15B782AF-55D8-11D1-B477-006097098764} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/authorware/awswaxd.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/OnlineScanner.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194233323809
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1219885237613
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {6136FF78-D107-470A-9E7D-F9F2F2441BF8} = 195.238.2.21 195.238.2.22
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 XPROTECTOR;XPROTECTOR;c:\windows\system32\drivers\Oreans.sys [2009-6-7 41888]
R2 SlingAgentService;SlingAgentService;c:\program files\sling media\slingagent\SlingAgentService.exe [2009-3-10 93960]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2008-12-2 50192]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2008-12-2 497008]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2008-12-1 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2008-12-2 677128]
R3 CONAN;CONAN;c:\windows\system32\drivers\o2mmb.sys [2004-9-13 191264]
R3 MbxStby;MbxStby;c:\windows\system32\drivers\MbxStby.sys [2004-9-13 5760]
R3 P1120VID;Creative WebCam NX Ultra;c:\windows\system32\drivers\P1120Vid.sys [2005-6-19 1252474]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2008-12-1 335376]
S3 ADVNTDRV;ADVNTDRV;c:\windows\system32\drivers\ADVNTDRV.SYS [1999-11-18 3872]

=============== Created Last 30 ================

2009-06-07 18:46 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-06-07 18:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-06-07 08:59 41,888 a------- c:\windows\system32\drivers\Oreans.sys
2009-06-07 08:55 <DIR> --d----- c:\program files\Paraben Corporation
2009-05-25 01:20 <DIR> --d----- c:\windows\system32\Adobe
2009-05-18 13:31 69,632 a------- c:\windows\system32\lfgif13n.dll
2009-05-18 13:31 462,848 a------- c:\windows\system32\ltkrn13n.dll
2009-05-18 13:31 450,560 a------- c:\windows\system32\ltimg13n.dll
2009-05-18 13:31 401,408 a------- c:\windows\system32\lfcmp13n.dll
2009-05-18 13:31 299,008 a------- c:\windows\system32\ltdis13n.dll
2009-05-18 13:31 206,336 a------- c:\windows\system32\ltefx13n.dll
2009-05-18 13:31 163,840 a------- c:\windows\system32\ltfil13n.dll
2009-05-18 13:31 57,344 a------- c:\windows\system32\lfbmp13n.dll

==================== Find3M ====================

2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-29 00:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 00:55 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2007-11-17 18:05 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2005-06-18 22:55 0 a------- c:\docume~1\owner\applic~1\wklnhst.dat

============= FINISH: 16:18:08.81 ===============


A: Security Compromised

Hello timetraveller61,

I'm not seeing any malware in your logs, let's see if an online scan reveals anything. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:
   Close any open programs.
   Turn off the real time scanner of any existing antivirus program while performing the online scan.

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
   Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
   Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
   Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
   Click View scan report at the bottom.
   Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

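An added example, not part of the poster's logs or of the helper's reply: the poster gives a date for the unattended period (6-Jun) and DDS records creation times, so the log's two sections can be joined mechanically instead of read by eye. The script below parses the "SERVICES / DRIVERS" and "Created Last 30" sections (the sample text is copied from the log above and trimmed), lists what appeared inside a window around that date, and marks any new entry that is also a registered service or driver. In DDS notation the letter is the running state (R running, S stopped) and the digit the start type (0 boot, 1 system, 2 auto, 3 demand). The window bounds are an assumption taken from the poster's date; the output is a triage list for the reader to research, not a verdict on any file.

```python
"""Join a DDS log's driver list with its 'Created Last 30' list for a time window.
Added example; not part of the original post.  Sample lines are copied
(and trimmed) from the log posted above."""
import re
from datetime import datetime

# Trimmed copy of the posted DDS log sections.
DDS_LOG = r"""
============= SERVICES / DRIVERS ===============

R1 XPROTECTOR;XPROTECTOR;c:\windows\system32\drivers\Oreans.sys [2009-6-7 41888]
R2 SlingAgentService;SlingAgentService;c:\program files\sling media\slingagent\SlingAgentService.exe [2009-3-10 93960]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2008-12-2 50192]
S3 ADVNTDRV;ADVNTDRV;c:\windows\system32\drivers\ADVNTDRV.SYS [1999-11-18 3872]

=============== Created Last 30 ================

2009-06-07 18:46 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-06-07 08:59 41,888 a------- c:\windows\system32\drivers\Oreans.sys
2009-06-07 08:55 <DIR> --d----- c:\program files\Paraben Corporation
2009-05-25 01:20 <DIR> --d----- c:\windows\system32\Adobe
2009-05-18 13:31 69,632 a------- c:\windows\system32\lfgif13n.dll
"""

# Assumed window: the poster's unattended day (6-Jun) plus the following day.
WINDOW_START = datetime(2009, 6, 6)
WINDOW_END = datetime(2009, 6, 8)

# "R1 name;display;path [YYYY-M-D size]"
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<size>\d+)\]\s*$")
# "YYYY-MM-DD HH:MM size-or-<DIR> attrs path"
CREATED_RE = re.compile(
    r"^(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?P<size><DIR>|[\d,]+)\s+"
    r"(?P<attrs>\S+)\s+(?P<path>.+?)\s*$")

START_TYPE = {"0": "boot", "1": "system", "2": "auto", "3": "demand", "4": "disabled"}


def parse_dds(text):
    """Return (services, created); paths are lower-cased so the two lists join."""
    services, created = [], []
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            d = m.groupdict()
            d["date"] = datetime.strptime(d["date"], "%Y-%m-%d").date()
            d["path"] = d["path"].lower()
            services.append(d)
            continue
        m = CREATED_RE.match(line)
        if m:
            d = m.groupdict()
            d["stamp"] = datetime.strptime(d["stamp"], "%Y-%m-%d %H:%M")
            d["path"] = d["path"].lower()
            created.append(d)
    return services, created


def window_activity(text, start, end):
    """Entries created in [start, end], newest first, as (stamp, path, note).
    An entry that is also a registered service/driver says so in its note."""
    services, created = parse_dds(text)
    by_path = {s["path"]: s for s in services}
    hits = []
    for c in created:
        if not start <= c["stamp"] <= end:
            continue
        svc = by_path.get(c["path"])
        if svc:
            state = "running" if svc["state"][0] == "R" else "stopped"
            note = (f"new {state} service/driver '{svc['name']}', "
                    f"start type {START_TYPE.get(svc['state'][1], svc['state'][1])}")
        else:
            note = "new directory" if c["size"] == "<DIR>" else "new file"
        hits.append((c["stamp"], c["path"], note))
    # A driver whose own file timestamp falls in the window but which is absent
    # from the Created list was probably replaced in place rather than added;
    # report it too so it is not missed.
    seen = {h[1] for h in hits}
    for s in services:
        if start.date() <= s["date"] <= end.date() and s["path"] not in seen:
            hits.append((datetime.combine(s["date"], datetime.min.time()), s["path"],
                         f"service/driver '{s['name']}' dated in window but not in Created list"))
    hits.sort(reverse=True)
    return hits


if __name__ == "__main__":
    for stamp, path, note in window_activity(DDS_LOG, WINDOW_START, WINDOW_END):
        print(f"{stamp:%Y-%m-%d %H:%M}  {path}\n    {note}")
```

Run against the trimmed log, the window contains three entries: a new program folder in the evening and, within four minutes of each other the morning after the unattended day, a second new program folder and a new system-start kernel driver. That pairing is exactly what a reader would want to look up before accepting a "nothing found" verdict.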

ARGH! Auto updates will not close. Every time I try to end the process (wuauclt.exe), it just pops right back up again - usually in triplicate! I downloaded a security update released today (Bits update and the Intelligent Update Service) and now it won't go away. Is it compromising my security while it's annoying me? And since that update has been installed, NAV (2003) keeps telling me that it doesn't have access to c: but it does. Nothing is restricted that wasn't before.....
thanks
Kim (aka lost)
 


Can someone here help me, as I'm really worried that my personal emails are showing up on this site? I was talking to a member recently and now I see these details of mine and no more responses from the site? This is very disturbing.
 


I had my World of Warcraft account stolen. I have run all the security / cleaner programmes and this is the log file.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:34:18, on 26/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SMINST\Scheduler.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.e... Read more


Dear Tech Support guy,

Recently I suspected a keylogger on my system, since every site I run had the same problem.
Code had been pasted into every PHP and JS file, and that code disables JavaScript on the website.

It could be several computers but I'm cleaning my main PC first.

I did an Avira scan and it seemed clean, but the infection came back.

One other thing I just noticed is that my "g" button doesn't work when I'm typing in this field. It does work in other programs. No idea if it has anything to do with the infection.
------------------
System Information
------------------
Operating System: Windows XP Professional (5.1, Build 2600) Service Pack 3 (2600.xpsp_sp3_gdr.090804-1435)
Language: Dutch (Regional Setting: Dutch)
BIOS: BIOS Date: 01/30/08 10:01:36 Ver: 08.00.10
Processor: Intel(R) Core(TM)2 Duo CPU E7200 @ 2.53GHz (2 CPUs)
Memory: 3072MB RAM
DirectX Version: DirectX 9.0c (4.09.0000.0904)
---------------
Display Devices
---------------
Card name: NVIDIA GeForce 8500 GT
Manufacturer: NVIDIA
Chip type: GeForce 8500 GT
DAC type: Integrated RAMDAC
Device Key: Enum\PCI\VEN_10DE&DEV_0421&SUBSYS_82771043&REV_A1
Display Memory: 512.0 MB

My HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:23:10, on 28-12-2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\sys... Read more

Q: My computer's security may have been compromised.

Hey guys,
 
I'm a little out of my depth here so don't feel bad about telling me I'm a complete idiot.  I got to work this morning unable to connect to my network drives because "The system detected a possible attempt to compromise security." So I did a little digging through event viewer and found a few disconcerting entries:
 
At 6:14 AM this morning: The Terminal Server security layer detected an error in the protocol stream and has disconnected the client. Client IP: 69.49.130.122.
 
According to google this generally happens when there's high traffic to the server, but the server doesn't get high traffic ever and the office doesn't even open until 7.
 
Also there's an audit at 12:45AM: 
 
A logon was attempted using explicit credentials.

Subject:
Security ID: SYSTEM
Account Name: WORKSTATION-17$
Account Domain: <REDACTED>
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: WORKSTATION-17$
Account Domain: <REDACTED>
Logon GUID: {b8e5e60f-7cd0-e25e-5654-baf839662d0d}
Target Server:
Target Server Name: workstation-17$
Additional Information: workstation-17$
Process Information:
Process ID: 0xce0
Process Name: C:\Windows\System32\taskhost.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials.  This most commonly occu... Read more

A: My computer's security may have been compromised.

Open the Start Menu and type cmd in the Search programs and features box. cmd will appear above the search box; right-click it and select Run as administrator. This will open the Command Prompt.
 
When the Command Prompt opens copy the command below and paste it in the command prompt, then press Enter.
 
netsh int tcp set global chimney=disabled

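An added example, not the procedure from the reply above: the two events the poster quotes can be triaged mechanically. The TermDD disconnect names a client address, and Python's ipaddress module tells public from RFC 1918 space; Security event 4648 ("A logon was attempted using explicit credentials") carries a Subject, an "Account Whose Credentials Were Used", a Target Server and a Process, and the routine case is the machine account re-logging on to itself from a scheduled-task host with no network address. The records below are constructed, modelled on the text the poster pasted; the host name, the second 4648 record (jsmith, backup_admin, fileserver01) and the allowlist of routine processes are assumptions.

```python
"""Triage of the two event types the poster quoted: TermDD protocol-stream
disconnects (which name a client address) and Security event 4648
(explicit-credential logons).  Added example, not the forum reply's
procedure.  The records are constructed, modelled on the posted text."""
import ipaddress
import re

LOCAL_HOST = "workstation-17"                           # the poster's machine (assumed)
ROUTINE_LOCAL_PROCS = {"taskhost.exe", "svchost.exe"}   # assumption: hosts for scheduled tasks

# (event_id, provider, message) -- constructed records.
EVENTS = [
    (56, "TermDD",
     "The Terminal Server security layer detected an error in the protocol "
     "stream and has disconnected the client. Client IP: 69.49.130.122."),
    (56, "TermDD",
     "The Terminal Server security layer detected an error in the protocol "
     "stream and has disconnected the client. Client IP: 192.168.1.40."),
    # Modelled on the poster's 4648: SYSTEM re-using the machine account locally.
    (4648, "Microsoft-Windows-Security-Auditing", r"""A logon was attempted using explicit credentials.
Subject:
    Security ID:        SYSTEM
    Account Name:       WORKSTATION-17$
    Account Domain:     CORP
    Logon ID:           0x3e7
Account Whose Credentials Were Used:
    Account Name:       WORKSTATION-17$
    Account Domain:     CORP
Target Server:
    Target Server Name: workstation-17$
    Additional Information: workstation-17$
Process Information:
    Process ID:         0xce0
    Process Name:       C:\Windows\System32\taskhost.exe
Network Information:
    Network Address:    -
    Port:               -
"""),
    # Constructed: what a 4648 worth chasing looks like (other account, other host, remote address).
    (4648, "Microsoft-Windows-Security-Auditing", r"""A logon was attempted using explicit credentials.
Subject:
    Security ID:        CORP\jsmith
    Account Name:       jsmith
    Account Domain:     CORP
Account Whose Credentials Were Used:
    Account Name:       backup_admin
    Account Domain:     CORP
Target Server:
    Target Server Name: fileserver01
Process Information:
    Process Name:       C:\Windows\System32\cmd.exe
Network Information:
    Network Address:    69.49.130.122
    Port:               445
"""),
]

CLIENT_IP_RE = re.compile(r"Client IP:\s*(\d{1,3}(?:\.\d{1,3}){3})")


def parse_sections(message):
    """Turn the 'Section:' / 'Field: value' layout of a Security event
    message into {section: {field: value}}; the first 'Account Name' lands
    under 'Subject', the second under 'Account Whose Credentials Were Used'."""
    sections, current = {}, "_"
    for raw in message.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):                 # section header
            current = line[:-1]
            sections.setdefault(current, {})
        elif ":" in line:                      # field (split on the first colon only)
            key, _, value = line.partition(":")
            sections.setdefault(current, {})[key.strip()] = value.strip()
    return sections


def triage(events, local_host=LOCAL_HOST, routine_procs=ROUTINE_LOCAL_PROCS):
    """Return one (severity, event_id, summary) per recognised event."""
    findings = []
    for event_id, provider, message in events:
        if provider == "TermDD" and event_id == 56:
            m = CLIENT_IP_RE.search(message)
            if not m:
                continue
            ip = ipaddress.ip_address(m.group(1))
            if ip.is_global:
                findings.append(("high", event_id,
                                 f"RDP session error from public address {ip}: the Terminal Server is reachable from the Internet"))
            else:
                findings.append(("info", event_id, f"RDP session error from internal address {ip}"))
        elif event_id == 4648:
            s = parse_sections(message)
            subject = s.get("Subject", {}).get("Account Name", "")
            used = s.get("Account Whose Credentials Were Used", {}).get("Account Name", "")
            target = s.get("Target Server", {}).get("Target Server Name", "").rstrip("$").lower()
            proc = s.get("Process Information", {}).get("Process Name", "").rsplit("\\", 1)[-1].lower()
            addr = s.get("Network Information", {}).get("Network Address", "-")
            if used == subject and target == local_host and proc in routine_procs and addr == "-":
                findings.append(("info", event_id,
                                 f"{proc} re-used the machine account {subject} locally (routine scheduled-task pattern)"))
            else:
                findings.append(("high", event_id,
                                 f"{proc} used '{used}' credentials (subject '{subject}') against '{target}' from {addr}"))
    return findings


if __name__ == "__main__":
    for sev, eid, summary in triage(EVENTS):
        print(f"[{sev:4}] {eid}: {summary}")
```

On the poster's records this flags the 6:14 AM disconnect as coming from a public address while rating the 12:45 AM 4648 as routine; the one item the script cannot answer, whether Remote Desktop on that server is meant to be exposed to the Internet at all, is the question to take to whoever runs the firewall.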

Hi there.
My laptop is behaving strangely, and has been for some time. It has become very slow when signing in to specific internet sites. It appears to be downloading something (the fan kicks in) whenever I open a browser or use the password manager system I have.
My concern is that the laptop itself has been compromised, because people I previously trusted have had access to it over time.
Is there any way that
1. I can look at any installed hardware that might have been added, and how? What should I be looking for?
2. I can look for any installed software that is suspicious, and how?
I'm very concerned that my password management system, in particular, may have been hijacked.
 

Q: Computer security compromised.

Somehow someone is seeing my passwords on my computer and accessing some of my accounts, specifically my Verizon account and Vanguard so far. I have a flag set up on credit bureaus and have set up security features and alerts in all my accounts. I'm posting Speccy and ToolBox below. Curious if you see anything suspicious or have any recommendations? Thanks
 
 
http://speccy.piriform.com/results/akVa5YbYYOg6ghUMB30gqou
 
 
MiniToolBox by Farbar  Version: 21-07-2014
Ran by zj (administrator) on 07-03-2015 at 16:20:55
Running from "C:\Users\zj\Desktop"
Microsoft Windows 7 Professional  Service Pack 1 (X64)
Boot Mode: Normal
***************************************************************************
 
========================= Event log errors: ===============================
 
Application errors:
==================
Error: (03/07/2015 02:51:02 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (03/06/2015 11:32:28 AM) (Source: LMS) (User: NT AUTHORITY)
Description: LMS Service lost connection to HECI driver
 
Error: (03/06/2015 10:46:09 AM) (Source: LMS) (User: NT AUTHORITY)
Description: LMS Service lost connection to HECI driver
 
Error: (03/05/2015 09:24:18 AM) (Source: Application Error) (User: )
Description: Faulting application name: NinjaTrader... Read more

A: Computer security compromised.

There is a chance that you are infected with a backdoor, bot or RAT (remote administration tool). If this is the case, more powerful advanced tools will be needed than can be used here in Am I Infected.

Please follow the instructions in ==>This Guide<== starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==. Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

Q: E-mail security compromised?

Should this thread be here or in system security?

I only use the web-mail interface for my e-mail provider (gmx.com).

I sent 2 e-mails before my last log out.

Upon logging in again I have 2 mailer daemon return notifications; these are for completely different addresses to the ones I used. These addresses are unknown to me and there is nothing associated with them in my sent items.

It's as if someone has been into my e-mail, sent some mail and then deleted them from the sent items and trash. Any Ideas?

A: E-mail security compromised?

  
Sub Styler, you are the victim of one of those bots that sends out email spoofing your email address. Happens all the time and most people get used to it and just delete them.
But as a precaution, you might change your password to a complicated one, so that if your email password had been compromised they would stop. But I doubt that it has.

I have an email address that has been around since the late 1980's and every now and then a bot gets ahold of it and I get quite a few bounces. I get used to it and just delete them.

Rich

Q: I think my computer security has been compromised?

I was on my computer tonight when my computer froze and I had to restart. I'm on a wireless connection run by my apartment building, and I have some personal security stuff on here but really am not too sure about the wireless security my building runs. I don't really download that much off of the internet, so I was surprised when strange things happened when I restarted my computer tonight. First, there was a brand new internet connection listed under my connections tab called Internet (1) that was not there before using WAN miniport. Also, the bar on the bottom of my screen is becoming distorted at times for no reason. And as I just now look, part of my screen is becoming cut off, with a strip of nothing but black along the right hand side of the screen. The time was changed to military time which I didn't do, and I can't change it back for some reason. I'm going to post my HJT log, and I also have RKR, ComboFix, and GMER on my computer as well. If anyone can help me, I'd greatly appreciate it, thanks!

Here's the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 00:18, on 07-01-10
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C... Read more

A: I think my computer security has been compromised?

If someone can please help me I would greatly appreciate it....thanks!
 

Q: Pdf Security Compromised In Gmail

PDF authors go to great lengths to protect their documents. But circumventing PDF security could be as easy as opening the document inside Google's e-mail service.http://www.pdfzone.com/article2/0,1895,1959501,00.asp

A: Pdf Security Compromised In Gmail

I notice that in the article, it appears that Google and Adobe have resolved the problem, and that Google is deploying a change to its interpreter.
Regards,
John

Q: Windows 8 Security Compromised?

OK guys, I ran into an interesting situation that I believe may be some kind of hole in security.
I was watching a show on Netflix on my Xbox when all of a sudden a cursor appeared on screen, moved around a bit, went to one of the options, then went away and nothing was noticed again.
The only time I have seen a cursor like that is the one included with the new dashboard version of IE10;
however, I feel this may be some kind of issue with Win 8 and Xbox SmartGlass.
Has there been any info on security threats in Win 8 yet?

A: Windows 8 Security Compromised?

I don't understand. Were you using Windows 8 or your XBox? You said one and then the other. If you're using Windows 8, why would you be watching netflix on your xbox when Windows 8 has a netflix player?

Q: Help with security check - compromised fb account

I'm having an issue trying to get through the security check that is the result of reporting your FB account as compromised. More specifically, I'm having a problem with the verify account stage. 90-99% of the time the options show as not available (supposedly exceeded hourly max of tries), and when they are available...
1. the friends' photos ID only kicks me back to the previous page without showing any photos
A. claims too inaccurate
B. won't even show start page anymore...
2. the security question won't accept the answer
A. sure I've given it several times now...
B. tried all or most of the possible answers...
I've attached a screenshot of what I see right away most of the time...
Anyone have any tips on how to potentially bypass this to gain access back into my account or anything? I've tried and given up on FB's help center... should be renamed helpless - numerous messages through several different reports yields me still waiting on a response over 5 or 6 days later? Pathetic!
OS: windows xp
browser: ie8
 

A: Help with security check - compromised fb account

If you still have control of your email, you can ask them to reset your password.
 

Q: Constant Popups - security compromised?

Hello. I'm copying from a similar problem. I keep getting popup windows.

Quoting: I've been infected with a trojan called Trojan.W32.looksky as well as an annoying popup that says "Windows has detected an Internet attack attempt... Somebody's trying to infect your PC with spyware or harmful viruses. Run full system scan now to protect your PC from Internet attacks, hijacking attempts and spyware! Click here to download spyware remover for total protection."
It then automatically directs me to a website to download programs where you have to pay."
I've used Spybot search and destroy,but that didn't solve the problem. I still get this red wallpaper that comes up as a desktop item and this annoying blinking red button on my toolbar with a white x. I've downloaded HijackThis! Please help me!

Here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:18:46 PM, on 9/9/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\McAfee\Common Framework\FrameworkService... Read more

A: Constant Popups - security compromised?

Q: iTunes account security compromised?

According to this item in yesterday's Sans.org diary; http://isc.sans.edu/diary.html?storyid=9136#comment

However, if you check the comments that have been received about the item, you will see that some people are not convinced. I wouldn't know because I don't own an 'i' anything and so don't visit the store.
 

A: iTunes account security compromised?

The original link in the Sans.org diary didn't work for me but this one does; http://appleinsider.com/articles/10/07/04/itunes_app_store_hit_by_developer_and_account_fraud.html

Fascinating (and worrying) stuff if you're a customer!
 

Q: EMC's RSA Security System Compromised and Broken Into

http://www.theage.com.au/technology/security/security-vendors-antihacking-division-hacked-20110318-1bzul.htmlEMC didn't offer clues about the suspected origin of the attack. It said it recently discovered an "extremely sophisticated" attack in progress against its networks and discovered that the infiltrators had made off with confidential data on RSA's SecurID products. The technology underpins the ubiquitous RSA-branded keychain "dongles" and other products that blanket important computer networks with an additional layer of protection.

A: EMC's RSA Security System Compromised and Broken Into

EMC said it doesn't expect the breach to have a meaningful impact on its financial results. EMC's stock [EMC] was down 1.25 percent in after-hours trading following the news. In a regulatory filing, EMC said it "does not believe that the matter described in the letter and note will have a material impact on its financial results."
http://www.pcworld.com/businesscenter/article/222522/rsa_warns_securid_customers_after_company_is_hacked.html

WHEW! That's a relief! As long as it doesn't affect (effect?) the stockholders or bottom-line, all's Okie-Dokie, no? (Insert sarcasm emoticon HERE)

http://www.nytimes.com/2011/03/18/technology/18secure.html?src=busln
Despite the lack of detail, several computer security specialists said the breach could pose a real threat to companies and government agencies who rely on the technology.
One possibility, said Whitfield Diffie, a computer security specialist who was an inventor of cryptographic systems now widely used in electronic commerce, is that a "master key" — a large secret number used as part of the encryption algorithm — might have been stolen.
The worst case, he said, would be that the intruder could produce cards that duplicate the ones supplied by RSA, making it possible to gain access to corporate networks and computer systems. Mr. Diffie is vice president for information security and cryptography at the Internet Corporation for Assigned Names and Numbers.

Open Letter to RSA Cu... Read more


I have tried all of the resources I could find, but none touch this bug. AVG found four trojan horse bugs and removed them, but they keep coming back.

I have read the prep guide and have the DDS and ARK logs as requested:

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Aspen Endodontics at 11:24:36.18 on Thu 05/05/2011
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3317.2252 [GMT -8:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

A:google redirect/windows security compromised PLEASE HELP!

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together.

Do not run any other tool until instructed to do so!
Please do not attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger: Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear Click the Disable button to disable your CD Emulation drivers Click Yes to continue A 'Finished!' message will ap... Read more


Here are a few samples of what I'm seeing in Event Viewer

An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 0
Impersonation Level: -
New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x4
Process Name:
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: -
Authentication Package: -
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
_____________

Special privileges assigned to new logon.
Subject:
Security ID: NETWORK SERVICE
Account Name: NETWORK SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E4
Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeImpersonatePrivilege
______________________

Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.

File Name: \Device\HarddiskVolume2\Windows\System32\guard64.dll
__________________
And the one that troubles me the most is this one:

An attempt was made to query the existence of a blank password for an account.
Subject:
Security ID: LOCAL SERVI... Read more

A:Multiple security audit events, Is my sytem compromised?

I would download and run MalwareBytes, using a rootkit scan and a reboot, running in "safe mode with networking" enabled.
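The three complete events quoted in the question above (the SYSTEM logon, the NETWORK SERVICE privilege assignment and the Code Integrity warning) are the kind a small triage script can sort before anyone reaches for a scanner. The Python below is an added example, not code from this thread or from Microsoft: it parses the pasted Event Viewer text and labels each event, using sample events constructed from the question plus one invented remote logon (documentation address 203.0.113.5, placeholder account and logon ID).

```python
"""Triage of Windows Security event text in the "Field: value" layout that the
question above pasted from Event Viewer. Added example for this page, not code
from the original post or from Microsoft; the well-known logon IDs and default
service privileges are Windows facts, and the samples are constructed from the
question's text plus one invented remote logon."""
import re

# Logon IDs Windows assigns to its built-in accounts when the system starts.
BUILTIN_LOGON_IDS = {"0x3E7": "SYSTEM", "0x3E4": "NETWORK SERVICE",
                     "0x3E5": "LOCAL SERVICE"}
# Privileges the service accounts hold by default; a "special privileges"
# event that lists only these for one of them is routine service start-up.
SERVICE_DEFAULT_PRIVS = {"SeAssignPrimaryTokenPrivilege", "SeAuditPrivilege",
                         "SeImpersonatePrivilege", "SeChangeNotifyPrivilege",
                         "SeCreateGlobalPrivilege", "SeIncreaseQuotaPrivilege"}
SECTION_HEADERS = {"Subject", "New Logon", "Process Information",
                   "Network Information", "Detailed Authentication Information"}
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ()]*?):\s*(.*)$")

def parse_event(text):
    """Split one pasted event into (description, {section: {field: value}}).
    Bare lines (the extra privilege names) extend the preceding field."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    description, sections, current, last_field = lines[0], {}, "_", None
    for line in lines[1:]:
        m = FIELD_RE.match(line)
        if m and m.group(1) in SECTION_HEADERS and m.group(2) == "":
            current, last_field = m.group(1), None
            sections.setdefault(current, {})
        elif m:
            last_field = m.group(1)
            sections.setdefault(current, {})[last_field] = m.group(2).strip()
        elif last_field and set(line) != {"_"}:      # skip ____ separators
            sections[current][last_field] += " " + line
    return description, sections

def _field(sections, name):
    # First value of a field that occurs once per event, whatever its section.
    return next((f[name] for f in sections.values() if name in f), None)

def triage(text):
    """Return (verdict, reason); verdict is 'routine' or 'review'."""
    desc, sec = parse_event(text)
    if desc.startswith("An account was successfully logged on"):
        new = sec.get("New Logon", {})
        name, logon_id = new.get("Account Name"), new.get("Logon ID")
        ltype = _field(sec, "Logon Type")
        src = _field(sec, "Source Network Address") or "-"
        if (new.get("Account Domain") == "NT AUTHORITY" and ltype in ("0", "5")
                and BUILTIN_LOGON_IDS.get(logon_id) == name):
            return "routine", f"built-in {name} logon {logon_id} at service start"
        if ltype in ("3", "10") and src not in ("-", "127.0.0.1", "::1"):
            return "review", f"type {ltype} logon for {name} from {src}"
        return "routine", f"type {ltype} logon for {name}"
    if desc.startswith("Special privileges assigned"):
        subj = sec.get("Subject", {})
        name, logon_id = subj.get("Account Name"), subj.get("Logon ID")
        privs = set((_field(sec, "Privileges") or "").split())
        if BUILTIN_LOGON_IDS.get(logon_id) == name and privs <= SERVICE_DEFAULT_PRIVS:
            return "routine", f"default privileges for {name} ({logon_id})"
        return "review", f"{name} received {', '.join(sorted(privs))}; match to a logon"
    if desc.startswith("Code Integrity determined"):
        return "review", (f"page-hash failure for {_field(sec, 'File Name')}; "
                          "check its signature and which product installed it")
    return "review", f"unclassified event: {desc[:60]}"

# Constructed samples: three follow the question's text, the last is invented
# (documentation address 203.0.113.5, placeholder account and logon ID).
SAMPLE_SYSTEM_LOGON = """An account was successfully logged on.
Subject:
Logon Type: 0
New Logon:
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
"""
SAMPLE_SERVICE_PRIVS = """Special privileges assigned to new logon.
Subject:
Account Name: NETWORK SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E4
Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeImpersonatePrivilege
"""
SAMPLE_CODE_INTEGRITY = r"""Code Integrity determined that the page hashes of an image file are not valid.
File Name: \Device\HarddiskVolume2\Windows\System32\guard64.dll
"""
SAMPLE_REMOTE_LOGON = """An account was successfully logged on.
Logon Type: 10
New Logon:
Account Name: Owner
Account Domain: HOMEPC
Logon ID: 0x5A2C1
Network Information:
Source Network Address: 203.0.113.5
"""
```

Logon ID 0x3E7 for SYSTEM at logon type 0, and 0x3E4 for NETWORK SERVICE holding only its default privileges, are the normal boot-time pattern; what earns a closer look is a network or remote-interactive logon from an address you do not recognise, or a page-hash failure on a file you cannot attribute to an installed product.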


Noticed this when I had accidentally selected Keep me signed in on a PC not belonging to me when checking my Outlook.com emails using Windows 7, IE10 and Outlook.com web interface. Need help to find out how to avoid this kind of situation.

Scenario: Opening Outlook.com with IE10. Logging in with my [email protected], accidentally selecting Keep me signed in. All is well, check mails, reply to a few, sign out, closed IE10, shut down the computer.

Was leaving when someone I was waiting to go with asked me to wait 10 more minutes. With extra time in my hands decided to check my other Hotmail account, too. Booted the same PC, opened IE10, went again to Outlook.com and to my surprise it opened to my outlook.com account I had checked earlier, directly without asking for credentials.

I was absolutely sure I had not only closed the IE10 and shut down the PC, but first selected Sign Out from Outlook.com menus. In my opinion this, selecting to log out / sign out should invalidate earlier Keep me signed in selection?

Came home, decided to test this. Here's how it went:
Opening Outlook.com on IE10, entering my [email protected] credentials and selecting Keep me signed in (this time deliberately):

Web interface opens, everything OK:

Selecting Sign Out:

Sign out successful:

Logging in with another Hotmail account, this time with [email protected], not selecting Keep me signed in:

Signing out from this second account:

Sign out successful:

Closed IE10. Reopened IE10, th... Read more

A:IE10 bug? Hotmail / Live / Outlook web interface security compromised?

I don't know if this might help as it's about Win8/IE10, but you can take a look.
Maybe IE10 is saving the registry cookies noted in the the last post (Dec. 20, 2012)?
If you have a PC with IE9, could you test that and see if you have the same issue?

Disable Automatic Microsoft Website signon in IE10


DDS log file as requested:
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.17.2
Run by Deb at 13:13:41 on 2013-05-30
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.2037.1363 [GMT -5:00]
.
AV: AVG update module *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG update module *Enabled*
.

A:Internet Security 2014 infection, CDROM.sys compromised by zero.access

Hello loadblok, I would like to welcome you to the Malware Removal section of the forum. Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely, I have spent my time to put together some things for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same"... Read more


we have been informed by our third-party forum provider that user login details of ESET Security Forum members have been compromised...We recommend that all ESET Security Forum users change their passwords...

ESET Security Forum: security incident on forum.eset.com

A:ESET Security Forums hacker...user info/passwords compromised

What are these hackers doing, competing for bragging rights? Surely they know that any financial details & license keys aren't stored on the forum sites.
 
Last year,  AVG was successfully hacked, during the same time there was an unsuccessful one directed towards Avast. More recently, it was Avast. Now it's ESET.
 
It's becoming a game of "Who's Next?"
 
Only I don't see the humor. Security breaches are of serious concern to the majority of us & having to swap passwords on a regular basis is already necessary, but crap like this ticks me off, as we have to keep up with these w/out writing them on paper. I don't trust master passwords, nor apps that create them. What if they're hacked? Unfortunately, there are a few who don't care, about this or much of anything. These are usually the ones with the least to lose, however they will be screaming bloody murder if $2 is missing, if it's noticed.

This is the exact reason why I don't directly access my bank account online anymore. I call to get my balance & take notes of my transactions to verify accuracy & use a 3rd party provider to pay bills & merchants. And never recycle passwords used for forums & email accounts for this purpose. It's just too risky.
 
Cat


When I attempted to go to Gmail.com earlier I was given a warning page from Firefox that said this:

This Connection is Untrusted
You have asked Firefox to connect securely to www.google.com, but we can't confirm that your connection is secure.
Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified.
Technical Details
www.google.com uses an invalid security certificate.
The certificate is only valid for the following names: www.xing.com, xing.com
(Error code: ssl_error_bad_cert_domain)

I had been using this same computer for a few hours previous to this and had been on Gmail during that time with no problems, it just seemed to happen at random when I started Firefox up again. I wasn't on any unordinary sites in the time between when Gmail worked and when it gave me the error message and nothing else out of the ordinary was happening with my computer either. I have never heard of or visited "xing.com" before (apparently it's some sort of German social networking site) and I have no idea why it appeared in the error message. I cleared my cache and everything else and restarted Firefox but was still met with the same warning when attempting to go to Gmail. I googled it and found that this error is sometimes caused by an incorrect system date/time, but I verified that mine is correct so that's not the issue. I then tried to access ... Read more

A:Afraid computer security may be compromised; Gmail showing up as "Untrusted Connection" etc

Hello, that sure does sound odd. Let's do a malware scan and see what comes back.

Next run MBAM (MalwareBytes):
Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
Make sure the "Perform Quick Scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the d... Read more
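The warning quoted in the question above is the browser's hostname check: the certificate it received listed only www.xing.com and xing.com, so it cannot be the certificate for www.google.com. The Python below is an added example, not Firefox's code; it reproduces that check with the wildcard rules browsers apply, using the certificate names from the question plus constructed cases.

```python
"""Hostname-against-certificate-name matching of the kind behind the
ssl_error_bad_cert_domain warning quoted in the question above. Added example
for this page, not Firefox's own code. It follows the rules browsers apply:
case-insensitive comparison, a wildcard only as the entire leftmost label,
one label per wildcard, and no wildcard directly under a top-level domain.
The certificate names come from the question; the other cases are
constructed."""


def hostname_matches(hostname, cert_name):
    """True if one DNS name from the certificate covers `hostname`."""
    host = hostname.lower().rstrip(".").split(".")
    pat = cert_name.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False          # a wildcard never spans more than one label
    if any("*" in p for p in pat[1:]) or (pat[0] != "*" and "*" in pat[0]):
        return False          # "foo.*.example" and "w*.example" are rejected
    if pat[0] == "*" and len(pat) < 3:
        return False          # "*.com" would cover every site under .com
    return all(p == "*" or p == h for p, h in zip(pat, host))


def check_certificate(hostname, cert_names):
    """(ok, detail) for the name check alone, as the browser reports it."""
    for name in cert_names:
        if hostname_matches(hostname, name):
            return True, f"{hostname} is covered by certificate name {name}"
    return False, (f"{hostname} is not among the names the certificate is valid "
                   f"for ({', '.join(cert_names)}): whatever answered for "
                   f"{hostname} is not presenting that site's certificate")


if __name__ == "__main__":
    # The case from the question: the host answering for Gmail sent xing.com's cert.
    print(check_certificate("www.google.com", ["www.xing.com", "xing.com"]))
```

A mismatch of this kind says nothing about Google's own certificate; it means something between the browser and Google (a proxy, a captive portal, a hosts-file or DNS change, or software on the machine) answered in its place, which is why the reply above goes straight to a malware scan.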


Esteemed Forum Members,

This is my first posting here. I am a Java programmer/developer. And I look forward to participating. Although I generally find that I learn more from reading the posts of the knowledgeable folks here than with me talking.

My current question is to see if anyone knows any more about a computer affliction that has affected two friends in the past week. (They are in different groups, so these are separate "afflictions".)

The two are remarkably similar so I am hypothesizing that they are basically the same attack. I suspect that if I have bumped into two of these cases, you folks may have already been there and done that.

As I don't have access to either of their computers, and as they are rather naive MS Windows users, it might be difficult for me to run the various diagnostic tools on their systems.

Basically the symptom is that they received an email from a known source. (Yeah, I know...) And clicked on a link to one of the {canxhealth health24x medhealthx xmedx } dotcom websites. The result is that, at a minimum, their Yahoo email account was compromised and an email was sent out to all of their contacts. The sent email has no subject and contains only the link to the malware website.

Googling through the web, I see suggestions ranging from changing the email account password through reformatting the hard-drive and resetting external routers. I also see claims that none of the major anti-virus/firewall applications detect this... Read more

A:Yahoo Account Compromised, possible system compromised

Hello Chuck, First I will move you one forum down to Am I Hacked. Please read the first pinned topic there, Who To Contact If Your Yahoo Webmail Account Is Hacked. Next follow these instructions, also a pinned topic there: How to receive help in the Am I Hacked? forum


Hello.  I seem to be sharing my firewall privileges with a remote hacker and a system restore didn't help.  A similar posting at Tom's Hardware pointed to a corrupted/malware rundll32.exe file creating extraneous malware files (guard.tmp, filename.dll) in his Win/System32 folder.  I suspect I have something similar though couldn't find those same file names.  (His posting is here: http://www.tomshardware.com/forum/134388-45-mysterious-rundll32-administrator-privileges )
 
I have tried kaspersky, combofix, rskiller, hitman, symantec, emsisoft, avg, symantec, windows defender, etc.  I am not a tech guy by trade but serve as my own IT guy some months so any help I get is welcome.  I probably am supposed to be posting "hijack this" findings or something as a first step but haven't done anything like that in 12 years so I figured I would post my problem first.  Thank you.


Hey guys, my computer's been acting really slow and strange lately. It also has a new user called IUSER_Admin on it.

Here is the log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:41:33 PM, on 10/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal


A:HELP i think i have been compromised!

Hello and welcome to TSF

==========
Download RSIT by random/random and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

============
Logs Required
log.txt
info.txt

If there is no response to this post within 72hrs, this thread will be closed.


Hi,
Once again, I have been forced to ask for help. Allayed by the fact no infections were found on my machine earlier I soon relapsed into complacency. But almost immediately my solace was short-lived. For the past 1 week my computer has been acting up for no apparent reason. Something is horribly wrong with the cursor and application tabs. At times my cursor refuses to do what I want. I keep clicking away at 'x(s)' but application windows just sit there frozen. Instead of closing out, my cursor freezes up. Then yesterday my comp. simply blacked out. A message reading ' Not compatible with windows 64-bit....' mysteriously appeared but on restarting the computer it was gone. Pulling on scroll bars using the cursor is another goof-up. No matter how hard I try, scroll bars refuse to pull up or down. After several tries the picture gives way. I have a penchant for watching youtube videos ( engineering simulations). Is it possible that may be the culprit? Anyhow, I have posted/attached the following logfiles.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_27
Run by SHAHJEE at 15:19:14 on 2011-11-06
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3894.925 [GMT -8:00]
.
AV: Kaspersky Internet Security *Enabled/Updated* {2EAA32A5-1EE1-1B22-95DA-337730C6E984}
SP: Kaspersky Internet Security *Enabled/Updated* {95CBD341-38DB-14AC-AF6A-08054B41A339}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-D... Read more

A:Been compromised again!

"BUMP, please"


I have a Sony PC running Windows XP. My Zone Alarm firewall blocked iexplorer.exe trying to access the internet to some unknown IP address. I've scanned my system with AVG anti-virus and with spyware from Zone Alarm and Spysweeper but they didn't detect anything. Could I have been compromised?
 

A:Have I been compromised?

Bump
 


Need help getting rid of the bad guys

Here is my HJT log


Logfile of HijackThis v1.97.7
Scan saved at 5:12:55 AM, on 7/18/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)



Why am I getting buried here?
 

A:Compromised...but not sure how or how bad...help please

I know I got some bad spyware from somewhere and keep getting all kind of weird notifications from spyware doctor that something has been blocked. Also I get notification that programs could not start at start up. I then run a scan with Spywaredoctor or superantispyware or adaware and it seems to get rid of the problem, but the next time I start up there is a new problem. The most recent one is "TA_start failed to begin correctly at start up" or something such. I feel like I'm killing the weeds but not the root.

I downloaded HijackThis and made a log. Hopefully it has everything needed. Spyware Doctor tried to block something it was doing.

Any help you can provide would be super.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 5:22:55 PM, on 6/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal



TL;DR I went to the website in this picture (http://puu.sh/pQ2ll/784eb6bbe8.jpg) and downloaded a file disguised as a flash update and executed it repeatedly like a moron. It opened a command prompt with a title I don't remember and closed quickly, nothing has happened since. I don't know what it did or if it's even an active threat.
 
I'll put this at the top for those disinterested in the story, I've run Malwarebytes Anti-Malware to no avail, I ran rkill.com and it interacted with nothing, and after that I did a system restore to a point two days ago. I'm aware system restore is dubious at best for virus and malware removal, but I can't think of anything more appropriate to do for something I doubt would even flag as spyware than simply factory resetting my laptop, which I still might do. It feels as if it's running slower than usual, but it's so barely noticeable that it might just be that I rebooted it for the first time in a while combined with placebo. Might I still be infected?
 
I woke up this morning and popped my laptop open, and within minutes of logging onto Steam, a person on my friends list that sends messages to me sporadically with large gaps in between sent me a link saying he found me in a video on Twitch for a game that I play very often. Being early morning, from a friend that does this often, I clicked the link, but instead of the video playing, the box simply showed the "You must update Adobe Flash Player" notice that looks exactly like it woul... Read more

A:Am I still compromised?

Adware Cleaner Scan.
 
Please download AdwCleaner by Xplode onto your desktop.
Close all open programs and internet browsers.
Double click on adwcleaner.exe to run the tool.
Click on Scan button.
When the scan has finished click on Clean button.
Your computer will be rebooted automatically. A text file will open after the restart.
Please post the contents of that logfile with your next reply.
You can find the logfile at C:\AdwCleaner[S1].txt as well.
 
JRT Scan.
Please download Junkware Removal Tool and save it on your desktop.
 
Shut down your anti-virus, anti-spyware, and firewall software now to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click it and select Run as administrator.
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log is saved to your desktop and will automatically open.
Please post the JRT log.
 
Adware Removal Tool Scan.

Download Adware removal tool to your desktop, right click the icon and select Run as Administrator.

Hit Ok.

Hit next make sure to leave all items checked, for removal.

The Program will close all open programs to complete the removal, so save any work and hit OK. Then hit OK after the removal process is complete, then OK ... Read more


Recently my son went on my PC and clicked a link over Discord from someone he didn't know. The file was 011.exe. This in turn gave someone full access to my PC and I want to know what to do and if a factory reset will get rid of this person's connection to my PC.
 


I attempted to follow the malware prep guide but stalled out on step 7 when DDS would not run. I followed the threads in the forums to download and run RSIT and have posted the logs below. I have also included the initial logs for recent events from Norton Internet Security which keeps flagging and removing local virus and blocking attacks from the internet. Any help is greatly appreciated.

My basic problem is that Norton is locating and eliminating a virus every time I boot my pc. Norton also picks up and blocks some internet attacks every time I attach to the internet. However each time I restart my pc the virus re-appears.

thanks!

NORTON RECENT SCAN DATA:

Category: Backup
Date & Time,Severity,Activity,Status,Recommended Action,Action,Location,Media Type
5/15/2010 10:00 PM,Info,Backup performed to I:,"Canceled, Canceled",None,Backup,I:,CD/DVD Drive

Category: Firewall - Network and Connections
Date & Time,Severity,Activity,Status,Recommended Action,Subnet Identifier,Gateway Physical Address,Category,Gateway IP Address
5/15/2010 9:45 PM,Info,Connected to a protected network. (127.0.0.0/255.0.0.0),Protected,No Action Required,127.0.0.0/255.0.0.0,,,
5/15/2010 9:45 PM,Info,Connected to a shared network. (00 12 17 C5 E0 D9),Trusted,No Action Required,,00 12 17 C5 E0 D9,,
5/15/2010 9:45 PM,Info,"Protecting your connection to a newly detected network on adapter \"Realtek RTL8169/8110 Family Gigabit Ethernet NIC - Packet Scheduler Miniport\" (IP ad... Read more

A:PC has been compromised

Hello and welcome to Bleeping Computer! We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Fo... Read more


IE is doing weird things like not allowing me to login, not allowing me to get past the first page in the forums of a website I use regularly, going very slow. I tried FF and it seems to work a little better but I get messages that I am sending over unencrypted pages even on TSG. I added a bunch of extensions but I still feel insecure. The NYTimes page comes up but I cannot get any articles to come up when I click them. I can get videos and photos but no articles. I tried FF and now it goes to a login page when I click on an article. It has never been a login sort of page.

The only out of the norm thing I have done is watch some videos of Bettany Hughes Ancient World series. After I was done my machine was slow. So I restarted it and when the desktop was up I saw a window appear that was just the upper right corner of a browser page. There were some letters the _ the box and the X. It did not respond to me clicking on the maximize box or the close X. Then it just disappeared on its own a few seconds later.

I have scanned with Avira free, Defender, and Malwarebytes all of them find nothing but neither of my browsers work properly any longer and I think I am compromised.

Any help?
 

A:I think I am compromised


I really hope someone can help me. I am using windows XP and lately it has been doing everything imaginable. It started with opening web pages completely unsolicited. Then it would redirect pages that I was on and try to install things.After that it would not open some web pages unless I allowed all cookies and lowered the privacy to LOW. It Automatically closes some programs for no reason, sometimes it just restarts whenever. The last time that happened it removed all my settings and if I reset them it does not keep them and I have to start all over again. I have even had to reinstall my internet connection and email. It does not even save my desktop display. Everytime I look directly under the C drive I have all kinds of applications there which I continulaay delete. Oh, and it is so slow, it has 512 MB and 1.8 GHz with 80 GB HD.

I have run AntiVir and it claims that there are no viruses, or trojan horses or anything else. I ran HijackThis, I ran CWShredder and it says that there is nothing. I don't know what to do!!! Please someone help me?

A:Very compromised PC


Hi there

My system has been compromised just recently and would like your help on the matter.

Here's what I've done so far: Installed and ran "CCleaner", removed whatever it found. Did the same with "Ad-Aware" and it actually found some trojan of some sort and removed it. Then I installed "Spybot Search & Destroy" and did a search with that one. And finally I ran a virus check with "NOD32" and topped it off with "MalwareBytes' Anti-Malware". "NOD32" found some trojans in "Java" which I deleted manually and did a new search, where nothing showed up. I've got logs of the Java trojans. So I've updated "Java" now as well, so that hopefully will close any security holes.

So I'll post a log from MBAM and HJT and would really appreciate your opinion on this matter. Is my system okay now, or can you still see something?
Thank you.

Malwarebytes' Anti-Malware 1.44
Database version: 3874
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

16-03-2010 23:58:52
mbam-log-2010-03-16 (23-58-52).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 187944
Time elapsed: 20 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No...

A:Compromised

Hello and welcome to TSF.

HijackThis is no longer the preferred initial analysis tool in this forum.

We want all our members to perform the steps outlined in the link given below, before posting for assistance. There's a sticky at the top of this forum, and a "Having problems with spyware and pop-ups? First Steps" link at the top of each page.

Please follow our pre-posting process outlined here:

http://www.techsupportforum.com/f50/...lp-305963.html

After running through all the steps, you shall have a proper set of logs. Please post them in a new topic, as this one shall be closed.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.


I went to Amazon last night, tried to buy a gift card and got the attached warning. Amazon help couldn't tell me why; he said everything is up to date. I also noticed some of my browser's options had changed.
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.17207  BrowserJavaVersion: 10.51.2
Run by Bobz at 16:03:58 on 2014-07-16
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.8182.5220 [GMT -7:00]
.
AV: ESET NOD32 Antivirus 6.0 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
SP: ESET NOD32 Antivirus 6.0 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\sy...

A:compromised ??

Hello and Welcome on board Bobz1x, my Name is Machiavelli and I will assist you with your problem. If you booted into safe mode on your computer then print my instructions!

I'm in the 'Malware Staff Team' and will provide you with advice: To remove Malware on a computer can be very complicated. Malware (malicious software) is able to hide and so I may not be able to find it so easily. In order to remove Malware from your Computer, you need to follow my instructions carefully. Don't be worried if you don't know what to do, just ask me! Please stay in contact with me until the problem is fixed.

Below are a few tips:

Removing Malware is usually very difficult. We need to search and analyse a lot of files. As this is done in our free time, please be patient especially if I don't answer every day!

Please follow these instructions. If you don't follow the instructions your computer may crash. If you fix your PC by yourself, this can be very risky!

Please stay in contact with me until your problem is resolved. As Malware may not be totally removed in one session or in one day, please stay in contact with me until the problem is resolved.

Please don't run any other tools without consulting with me as this can complicate finding and removing all Malware. Don't run any tools while I'm fixing your PC. That is counter productive and again, will only complicate finding and removing all Malware!

Read my post completely. If you don't do so, you may make mistakes that could result in your System crashing by you...


Hi,

For the past 3 days my computer has been acting up for no apparent reason. Something is horribly wrong with the system volume. Each time I hit the volume button the bar increases/decreases asynchronously. In other words, the volume continues to increase/decrease long after the f10/f9 buttons have been released. If this weren't enough windows seem to open and close by themselves without warning. In addition, while typing, parts of paragraphs magically highlight themselves and then erase at will in the midst of completing an entire sentence. Since the system can be recovered at anytime, I did not take the trouble of compiling a boot cd. It looks like I've been compromised! Any help is much appreciated. In compliance with the wishes of the moderator I have posted/attached the following logfiles.
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_27
Run by SHAHJEE at 15:19:14 on 2011-11-06
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3894.925 [GMT -8:00]
.
AV: Kaspersky Internet Security *Enabled/Updated* {2EAA32A5-1EE1-1B22-95DA-337730C6E984}
SP: Kaspersky Internet Security *Enabled/Updated* {95CBD341-38DB-14AC-AF6A-08054B41A339}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Kaspersky Internet Security *Enabled* {1691B380-548E-1A7A-BE85-9A42CE15AEFF}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\...

A:Been Compromised!

Hello and welcome back to TSF Virus & Malware support. My name is Taylor and I'll be helping you with your fix.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible.

You may wish to subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Please be patient with me during this time.


I run Trend paid Internet Security 2010. A colleague was hit by Gumblar and another by a Hacktool rootkit. My machine slowed to a crawl last night, a minute between clicks, but after a reboot I 'seem' to be running normally and have had a clean scan from that, Prevx, and Malwarebytes, but I'm still paranoid, so I really appreciate any insight into the logs I'm posting per the instructions here http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/ (I included the HijackThis log too just in case). I'm on Vista 64-bit, and running GMER, I only had services/registry/files/ADS available for selection; system, devices, etc. were all grayed out.

DDS (Ver_09-12-01.01) - NTFSX64
Run by websitewendy at 11:55:02.28 on Thu 02/18/2010
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_16
Microsoft® Windows Vista® Home Premium 6.0.6001.1.1252.1.1033.18.4094.1108 [GMT -8:00]
SP: Windows Defender *enabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C...

A:have i been compromised ?

Hello and welcome to Bleeping Computer.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

We need to create an OTL Report

Please download OTL from one of the following mirrors:
This is THE Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
In the custom scan box paste the following:

CODE
netsvcs
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%systemroot%...


I received one of these scam "I need money" emails from a friend and immediately realised that her computer had been hacked. I replied telling her so. Now I have received another email from her with a new email address saying that since she was hacked she had been unable to receive anything at the original address; she thinks everything went to the hackers. I am just wondering whether my response to the original email has put me at risk and if so what should I do about it, or is it too late.
Nita
 

A:Am I compromised


I Did a Dumb Thing!!!

I got an email message that my ATT Worldnet account had to be updated or my account would be terminated.

Since Cingular recently purchased ATT services, I thought it was legit and part of the transition of services.

I clicked on to the website, which asked for my name, password, address, phone, and credit card number. I typed in the first 4, but hesitated at the credit card line, since I pay by mail.

The site window was set up with "continue" keys. Because I did not give my credit card info, it would not continue to the next screen. I then closed out the screen using the Windows close icon box in the upper right corner.

I called ATT and found out the website was a fraud!!!

My Question:

Since I closed out everything before reaching the "send" screen, is my name, address, and password still secure, or did that info still reach the scam artists?

I know it was a dumb mistake, but will appreciate any advice about the damage done, and what, if anything, I can do to correct it (I ran spyware and antivirus checks immediately, with no problems reported).

Thanks

adf
 

A:Is my ID compromised?

As long as you did not transmit any data to the website then your information is still secure, but just to ease your mind you should go to the official website and change your password.


Hoping someone can provide some assistance here.... need system analyzed. Have compiled logs & data for troubleshooting...

Windows XP Home v 2002, SP 3
Intel Celeron 2.4 GHz
2.39 GHz , 256 MB RAM
Hard wired to : Arris Modem #TM502G---->Buffalo High Power AirStation A&G: (NAT enabled & PNP disabled, Intrusion detector enabled, etc... MAC filtered, not broadcasting SSID, etc...) ---->Motorola VT1005 (set statically)---->PC (Broadcom 440x 10/100 Integrated Controller w/TCP/IP set statically, and NetBios disabled)
Agnitum Outpost Firewall Pro ver. 4.0.971.7030 (584): (Stealthed as much as I could without sacrificing connectivity)
Avast! v. 4.8 Home Edition Build Dec. '08 (4.8.1296) : (Stealthed)
ProtoWall : (need to update lists, there are a few certain sites I have to disable ProtoWall to visit...)

Wondering if all my PC issues aren't due to my system being compromised. Have been running extensive scans. Are you familiar with analyzing any of the following logs: DrWeb, FPort, HijackThis, RootkitRevealer, StartDreck, SpyBot S&D?

Strange thing that occurred though, right after I started noticing these issues, I received an email from my web host provider, stating that one of my websites had been compromised and my web page had changed. Here is what they said:

"Recently, we noticed that your username and password for your ftp account hosting has been used by someone to alter your main index.html (or index.htm, index.php) file for ...

A:Has My PC Been Compromised?

You have done most everything that we can recommend in this particular forum. HJT logs should not be posted here. We have a revised procedure for HJT that you should read first:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
Then post the log in the proper forum here:
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/


I went to Amazon last night, tried to buy a gift card and got the attached warning. Amazon help couldn't tell me why; he said everything is up to date. I also noticed some of my browser's options had changed.

A:compromised ??

Possibly, but we should get a deeper look as financials are involved. Please follow this Preparation Guide, do steps 6, 7 and 8 and post in a new topic. Let me know if all went well.


I had a post in another forum, but after running MBAM (no results) I thought I should post in here. If not, my apologies; please move me to the correct area. My daughter plugged some cheapo camera she had into a USB port. I got an error message on my screen (don't recall). I rebooted and now my CPU fan seems like it is about to launch. Any and all advice is appreciated. My 9 year old is upset; she thinks she broke it. THANKS!

A:I think my PC might have been compromised.

Hello, is this an XP PC or another? The error message would help if you see it again. Open the Task Manager (press CTRL+ALT+DEL). Click on the Processes tab: is something using a lot of your CPU?

Run ATF and SAS:

From your regular user account, download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop. DO NOT run yet.

Open SUPER from icon and install and Update it. Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP) using the F8 method. Restart your computer. When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu. Select the option for Safe Mode using the arrow keys. Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program. Under Main "Select Files to Delete" choose: Select All. Click the Empty Selected button. If you use Firefox or Opera browser click that browser at the top and choose: Select All. Click the Empty Selected button. If you would like to keep your saved password...


Hi there,

Ried in the virus/malware section was previously helping me out. No virus/malware was detected on my system. As a result he referred me to you guys since I am still having problems. My machine started acting up after I installed RealWorld Cursor Editor. The cursor repeatedly froze up for no reason. As a result, I went ahead and uninstalled real world but the issue still continues to persist. In the interest of time, a summary of all the steps he took is posted below:

1. Tried System Restore from both Normal Mode and Windows Recovery Environment and it fails to complete.

2. Mention that issue seems to have begun after installing RealWorld Cursor, and that it had been uninstalled.

3. Reviewed detailed logs for any remnant RealWorld entries and none found.

4. Issue does not occur in Safe Mode.

A:Been Compromised again!

Hi, press the win + r key together, in the run box type:- msconfig, open the services tab and put a check in "hide all microsoft services" look at the remaining services for anything to do with the program, uncheck it and apply, also look under the startup tab anything that looks like it's associated with the program uncheck. If unsure you can still uncheck items (just leave virus and malware programs checked) If you want more info about items google OR post back.

Since that program affects the icon and mouse cursor we should try resetting the default registry settings; this will do no harm. Run the attached .zip file, then double click on the returned .reg file and allow it to be added to the registry. Restart computer.

Ico,zip.ZIP


Hi, My sister downloaded a program thinking it was a utorrent program but it didn't install anything (that she knows about). It's from this page hxxp://onhax.net/utorrent-plus-crack/ Halfway down there's a green direct download link that says "Crack and setup. Direct download". The file is "Crack and setup.exe".

Steps I've taken: I've deleted the file. I've run AdwCleaner. This is the result:

# AdwCleaner v4.102 - Report created 27/11/2014 at 14:11:26
# Updated 23/11/2014 by Xplode
# Database : 2014-11-26.1 [Live]
# Operating System : Windows 8.1  (64 bits)
# Username : Evan - ARMYPC
# Running from : C:\Users\Evan\Downloads\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Scheduled Tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Found : HKCU\Software\systweak
Key Found : [x64] HKCU\Software\systweak

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17416
-\\ Mozilla Firefox v33.1 (x86 en-US)

*************************

AdwCleaner[R0].txt - [659 octets] - [27/11/2014 14:11:26]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [718 octets] ##########

And I've run JRT.exe and tdsskiller.exe. They found nothing. So I'm thinking maybe the file just affected some registry tweaks. Thanks for your help. I just want to be sure that there's nothing suspicious on my hard drive. I am using Windows 8.1, it's fully updated. Evan.

Mod Edit by quietman7: D...

A:Not sure if I've been compromised

Hello there
I'm LighthouseParty and I'll be assisting you with your concern today. Please keep in mind that I have a few guidelines I need you to follow:
Don't run any other tools other than what I provide you with.
Don't install/remove any programs other than what I provide you with.
Don't perform a system restore unless I ask you to.
 Download MiniToolBox
Click here to download MiniToolBox to your desktop.
Double click MiniToolBox.
Select the following and then press go.
Post the log in your next reply.
Flush DNS
Reset IE Proxy Settings
Reset FF Proxy Settings
List Installed Programs
List Restore Points
 
 Install and run a scan with Malwarebytes Anti-Malware
Click here to download Malwarebytes to your desktop.
Double click mbam-setup-x.x.x.xxxx and follow the on-screen instructions.
On the dashboard, click update now.
After that, click scan now - the scan will now begin.
When the scan's completed, select apply actions - make sure the action is quarantine.
Restart your computer.
How to get the log.
On the dashboard, select the history tab and click application logs.
Select the log which has the time and date of when you did the scan.
Click copy to clipboard and paste it into your reply.
 Download Security Check
Click here to download Security Check to your desktop.
Double click SecurityCheck and follow the on-screen instructions.
A log should open, called checkup.txt.
Please post...


My son called this afternoon and said he had an issue with an IPhone and in order to get support he did a Google search for Apple support. The first hit in the results was the following link;

Amazingtechsupport

He called them and the tech, who had a heavy accent, asked him to attach the device to his computer and then requested remote access. FOOLISHLY, and after my giving him several warnings to never allow remote access, he did it anyway. He explains what happened next as follows;

The tech ran a "dos" emulation window and the screen scrolled for about 15 seconds, and at the bottom of the screen was the following message: "Your system has been hacked". At this point my son called me to explain what just happened, and while he was explaining things the tech proceeded to draw, with what my son said looked like a pencil, a symbolic sad face; ie, :-( Then he circled the "Your system has been hacked" and said "Do you see that?". By now I had obtained enough detail to say disconnect your system and get off the phone, which he did.

My questions are;
1. Does anyone know if the link is associated with a legitimate company?
2. Is there any way I can check the system for a keylogger, nefarious software or damage?

I have had him run a scan with MBAM and Avast and both came back with no infections detected, although I doubt from what he described that the system would be infected with malware or a virus.

A:System may be compromised

  
Quote: Originally Posted by Sir George
My questions are;
1. Does anyone know if the link is associated with a legitimate company?
Minimal chance it's legit.

I counted at least a half dozen grammatical, spelling, and punctuation errors in a quick reading of the first page presented in that link. That's been a foolproof indicator of scams that has yet to fail me.

The name alone makes me roll my eyes. That would be enough to make me look elsewhere.

http://stuffgate.com/amazingtechsupport.us

Apparently been around 2 months.
